Senate debates

Thursday, 19 June 2014

Bills

Privacy Amendment (Privacy Alerts) Bill 2014; Second Reading

10:11 am

Simon Birmingham (SA, Liberal Party, Parliamentary Secretary to the Minister for the Environment)

It is a pleasure to rise and speak to the Privacy Amendment (Privacy Alerts) Bill 2014 which was introduced by Senator Singh. I acknowledge her contribution in bringing this to the parliament as a private member's bill to amend the Privacy Act 1988 and to establish a framework for the mandatory notification by government agencies and certain private organisations to notify the Australian Information Commissioner and affected individuals of serious data breaches involving their personal information.

This, of course, reflects a bill that the previous government brought forward last year in 2013. That bill was passed by the House of Representatives on 6 June and brought to the Senate and was considered in rather rapid time by the Senate Legal and Constitutional Affairs Legislation Committee, which reported to the Senate on 24 June 2013. As all speakers to the debate so far have acknowledged, these issues around privacy are critically important, but we do need to equally acknowledge that what we have here is a relationship between privacy and the rights of individuals and how that is appropriately dealt with on the one hand and of course then regulation, regulation in particular of parts of the digital economy, and how that is appropriately dealt with on the other hand. We need to make sure that in addressing these two competing issues we get the balance right and that we make sure that the rights of individuals to have confidence in their privacy are strong and respected but that also the enormous contribution that the digital economy can make to our future economic wellbeing and economic growth is not hampered in any way and that we remain a competitive country, and hopefully an even more competitive country, for start-ups and other businesses operating in the digital space to operate.

As I indicated, the previous bill was considered by the Senate Legal and Constitutional Affairs Legislation Committee in the space of just a short couple of weeks. That bill was brought into the Senate, and, for some reason, the government of the day thought it deserved only a rapid-fire consideration by that committee. Concerns were expressed at the time of that committee's report being handed down about the very fast consideration of the bill.

Additional comments provided by former Senator Humphries and departing Senator Boyce highlighted some of those concerns around the speed with which the assessment of this legislation was undertaken and the bill was made available to others outside of this parliament to consider. Their comments at the time highlighted remarks by the Cyberspace Law and Policy Centre of the University of New South Wales Faculty of Law that, because of the very short nature of the Senate inquiry, which reported within a couple of weeks of the bill's passage from the House of Representatives, they had around 10 working hours in which to collaborate on, draft and finalise a submission on what is, as I am sure all senators would acknowledge, a complicated area.

The Australian Privacy Foundation also expressed this concern, citing in their submission to the inquiry:

… the seriously negative impact on the democratic process that is inherent in the provision by the Parliament of only 1-1/2 working days, during which civil society organisations are expected to discuss, draft and finalise a Submission to your Committee.

It was notable at the time that there were no public hearings held and so no opportunity for live testimony as such, and for that exchange of views and opinions that comes with such live testimony and the opportunity for people to assess the merits of the bill and whether it effectively achieves its aim of providing privacy without jeopardising in any way the potential growth of our digital economy.

The bill lapsed before the Senate in advance of the 2013 federal election. So, despite having been rushed through the committee process, it then languished on the Notice Paper under the previous government until the parliament was dissolved.

But, aside from the concerns about the speed of its consideration, there were some concerns at the time from submitters regarding the lack of definition in the legislation that is proposed, and similar concerns, I would imagine, would continue to exist, given the almost identical nature of the legislation that Senator Singh has brought forward now. Those concerns included, in particular, definitional concerns—about what actually constitutes 'a serious breach' and 'a serious harm'. These are genuine concerns. It is reasonable for people to wonder how they can definitely comply with this legislation and what their obligations and responsibilities are. Also, an absence of clear definitions in the legislation creates a circumstance of uncertainty for businesses and agencies which are expected to comply, and, of course, in creating those concerns, you end up with a situation where people are at risk of noncompliance if they are not always erring very much on the side of caution.

The principles of the bill and the principles underpinning it and the remarks we have heard from other senators demonstrate that there is good reason to see further reform in this space—a reform that builds upon the Privacy Act and gives people confidence about how those operating in the digital economy treat matters of privacy and private information and details that are provided to them. The bill is of course intended to strengthen existing voluntary data breach notification frameworks in order to counter what is seen as an underreporting of data breaches and to help prevent or reduce the effects of serious crimes, especially those like identity theft.

The bill and the model that is proposed would require notification to the Office of the Australian Information Commissioner and affected individuals where there has been a data breach which has given rise to a real risk of serious harm to an affected individual. 'Real risk' is defined as a risk that is not a remote risk—a somewhat circular definition, I would note. But this is seen to mean that it would not be required to report less serious privacy breaches to affected individuals or the Office of the Australian Information Commissioner. The requirement to notify would apply to data breaches involving personal information, credit reporting information, credit eligibility information, and tax file number information. The content requirements of notification are, at a minimum: a description of the breach, a list of the kinds of personal information concerned, contact information for affected individuals to obtain more information and assistance, and recommendations about the steps that individuals should take in response to the breach. The Office of the Australian Information Commissioner would have power under the legislation to compel notification to affected individuals where it becomes aware of a serious data breach that has not been notified as a result of an individual's complaint or otherwise and it is in the public interest to do so. The Office of the Australian Information Commissioner would of course have its normal investigative enforcement powers in relation to noncompliance with an obligation to notify. Consistent with the measures of the legislation, a civil penalty would only be available to be sought by the Privacy Commissioner where there has been a serious or repeated noncompliance with mandatory notification requirements.

The government is not opposed to considering proposals that improve data security practices. We are broadly sympathetic to the concerns that drive legislation of this nature. But we do remain concerned that the consultation on the initial legislation was inadequate and that the opposition, in bringing this legislation back to the Senate, has done little to rectify that. We are not just concerned about the consultation by the executive of the previous government in drafting the legislation but also, as I have outlined, by the availability of time for consultation by the relevant Senate committee when considering this legislation, as identified by a number of those who made submissions to that inquiry.

We do think there is more work to be done in consulting more broadly on the implications of a mandatory notification scheme. Unlike those opposite, it is not the default position of this government that everything is always solved by a legislative or regulatory outcome. There are circumstances where you can get good outcomes without recourse to the law or the need to legislate or regulate further. This may or may not fall into one of those categories; what we want to do is give it full and proper consideration to make sure the broad principles of privacy are respected but also that it does not impose an excessive regulatory burden on industry.

We are, as a government, very determined and very eager to see growth in the digital economy space. We want to make sure we spur innovation. This is the type of industry, and the sector of our economy, that provides enormous opportunity for future growth. It reflects the highly educated workforce of Australia, giving the opportunities we would hope for the employment and growth of that highly educated workforce. We are working steadily and carefully to implement policies that drive further innovation in the digital economy.

Just one of the ways we are doing that—and it is a way that is related in some part to this legislation—is through our approach to open data and open data sources and ensuring that, as a government, we take all the steps we can to spur innovation through open data access. Government controlled data has been identified by many around the world to be of immense economic value. A 2013 report by McKinsey & Company researchers estimates there is $3-$5 trillion in economic value annually from open data across seven different sectors in the United States. So far, we have managed to add dramatically to the availability of information and data across government since our election in September. In fact, 85 per cent of the data that is available through data.gov.au has been added since the coalition was elected last September—a dramatic increase in the amount of information available to Australian innovators and users.

Mr Turnbull, as the Minister for Communications, working with his department, Geoscience Australia and the finance portfolio, in particular, has been striving to deliver on our election commitments on e-government and the digital economy, particularly on our commitment to driving this approach to open data access. A senior working group to identify datasets of high value to the economy has been established in the Communications portfolio, providing leadership across government in achieving the significant growth we have had. More than 20 high-value government datasets have been identified thus far—covering areas such as geocoded addressing, finance, energy and infrastructure—which we believe as a government can, if made open and available, provide real economic returns through their utilisation by businesses and innovators across the economy.

Importantly, government is working to make sure that any such data released is anonymised, where appropriate, to protect privacy. That is obviously a key criterion in our approach to the provision of open data access. We give a firm commitment that, while we work to provide more information and a greater stream of knowledge that can be accessed by the private sector for wealth generation across the economy, we will of course be very careful, taking each dataset one at a time to make sure we have appropriate protections and precautions around privacy.

We will be releasing more such datasets around this year's GovHack competition in July and August, which encourages coders to make use of government data to design new apps like TripView. It is important to realise that this is the type of innovation that can lead both to efficiency and savings across government and to areas of economic growth. By being open as a government and making our data sources and IT as accessible as possible, people can see opportunities to do things more efficiently. That has certainly been the case in the United Kingdom where the reforms of the Cameron government, under the GOV.UK website, have dramatically streamlined what the government has been able to achieve in the digital world. The UK government have cut back on a lot of their unnecessary online presence to provide a government interface for voters and residents of the UK that is genuinely user-friendly and focused on the key outcomes they expect from their government. It has been made far more user-friendly and achieves far greater satisfaction ratings across the UK in terms of the use of government information. Importantly, it has also achieved very significant savings in the UK—hundreds of millions of pounds worth of savings—in terms of the procurement of IT systems, the cost of running government websites and the overall cost of government interaction with the digital economy.

It is a real win-win, because satisfaction with government websites has gone up dramatically whilst the cost of operation has gone down dramatically. This has come through not just a commitment to be more responsive to community needs but also, importantly, a commitment to open data and open government principles which ensure that all of the information that underpins gov.uk is openly available. Obviously, an individual's personal data is protected, but all of the structural information that underpins that transformation that the UK has been on is openly available for other countries to be able to access.

I certainly hope that Australia, at the Commonwealth level and across all the states and territories, will look very closely at the UK model and will develop it for their own needs. We need to make sure that we follow a similar approach of streamlining government online presence so that residents of Australia have a single portal, a single access point, and get high satisfaction by being able to find easy answers to the things they need, or by being able to have an easy interaction with the government services that they seek. We need to do this in a manner that, hopefully, can also provide some cost savings.

We are, as a government, determined to drive the digital economy space, but to do so in a way that protects privacy principles to the utmost. We do not necessarily oppose this legislation, but we do think it needs far greater consultation, and we think it is appropriate for us to look closely at it and ensure— (Time expired)
